Providing data plane services for applications
US-2017366605-A1 · Dec 21, 2017 · US
US11575651B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11575651-B2 |
| Application number | US-202017139103-A |
| Country | US |
| Kind code | B2 |
| Filing date | Dec 31, 2020 |
| Priority date | Dec 31, 2020 |
| Publication date | Feb 7, 2023 |
| Grant date | Feb 7, 2023 |
Official abstract text for this publication.
A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
Opening claim text (preview).
The invention claimed is:

1. A method comprising: identifying a cloud application running on one or more nodes of a cloud cluster that is externally exposed, the cloud application having a first configuration, wherein one or more agents execute on respective ones of the one or more nodes and is associated with respective ones of one or more containers; modifying the first configuration to redirect network traffic destined for the cloud application to the agents on a first port allocated to the agents for the cloud application, wherein each of the agents has instantiated a web application firewall, wherein the web application firewall is made available for the cloud application based on labelling of those of the containers of at least a subset of the agents with a label that designates the cloud application; determining if a number of the agents on which the web application firewall is made available to the cloud application should be increased or decreased based on determining if a first metric of a plurality of metrics collected by the agents satisfies a first criterion for modifying a number of the agents on which the web application firewall is available for the cloud application, wherein the first criterion indicates a threshold; based on determining that the number of the agents should be increased, increasing the number of the agents based on associating the label with one of the containers in addition to those of the subset of the agents; and based on determining that the number of the agents should be decreased, decreasing the number of the agents based on removing the label from one of those of the containers of the subset of the agents.

2. The method of claim 1, wherein the threshold corresponds to a maximum value of the first metric, wherein determining if the first metric satisfies the first criterion comprises determining if the first metric exceeds the threshold, and wherein determining that the number of the agents should be increased comprises determining that the first metric exceeds the threshold.

3. The method of claim 1, wherein the threshold corresponds to a minimum value of the first metric, wherein determining if the first metric satisfies the first criterion comprises determining if the first metric is below the threshold, and wherein determining that the number of the agents should be decreased comprises determining that the first metric is below the threshold.

4. The method of claim 1, further comprising generating a second configuration for the cloud application to expose the cloud application internally within the cloud cluster with a private network address based, at least in part, on the first configuration.

5. The method of claim 4, wherein generating the second configuration comprises copying the first configuration and replacing a public network address of the cloud application with a private network address allocated to the cloud application.

6. The method of claim 4, further comprising modifying a configuration of the agents to direct network traffic allowed to pass by the web application firewall to the cloud application via the private network address of the cloud application.

7. The method of claim 1, wherein increasing the number of the agents further comprises adding to the cloud cluster a node having deployed an additional agent, wherein associating the label with the one of the containers in addition to those of the subset of the agents comprises associating the label with a container of the additional agent.

8. The method of claim 1, wherein decreasing the number of the agents further comprises changing a status of a first of the one or more nodes from active to idle.

9. The method of claim 1 further comprising, based on identifying a second cloud application running on the one or more nodes that is externally exposed, modifying a configuration of the second cloud application to redirect network traffic destined for the second cloud application to the one or more agents on a second port allocated to the one or more agents, wherein the second port is different than the first port.

10. The method of claim 1, wherein the plurality of metrics comprises metrics indicating at least one of memory usage of each of the one or more nodes, central processing unit (CPU) usage of each of the one or more nodes, and an amount of network traffic directed to the cloud application.

11. One or more non-transitory machine-readable media comprising program code for dynamically deploying a web application firewall to secure an application running on a plurality of nodes of a cluster in a cloud, the program code to: based on a determination that the application is externally exposed, generate a first configuration for the application to expose the application internally within the cluster based, at least in part, on a second configuration of the application which exposes the application externally; select at least a first agent of a plurality of agents having instantiated a web application firewall with which to secure the application based, at least in part, on labelling of a first container of the first agent with a label corresponding to the application, wherein each agent of the plurality of agents executes on a respective node of the plurality of nodes, and wherein labelling the first container of the first agent makes the web application firewall available to the application; modify the first configuration to redirect network traffic destined for the application to the first agent; modify a configuration of the first agent to direct network traffic to the application based, at least in part, on a network address of the application indicated in the second configuration; determine whether to increase or decrease a number of the agents having instantiated the web application firewall with which to secure the application based, at least in part, on evaluation of metrics collected by the plurality of agents against one or more criteria indicating one or more thresholds for the metrics; based on a determination that the number of the agents is to be increased, label at least a second container of a second agent of the plurality of agents with the label; and based on a determination that the number of the agents is to be decreased, remove the label from the first container of the first agent.

12. The non-transitory machine-readable media of claim 11, further comprising program code to allocate a first port for a network address associated with the plurality of agents, wherein the program code to modify the first configuration comprises program code to modify the first configuration to indicate the first port and the label as a destination for external network traffic.

13. The non-transitory machine-readable media of claim 11, wherein the first configuration comprises a public network address allocated to the application, wherein the program code to generate the second configuration comprises program code to copy the first configuration and replace the public network address with a private network address allocated to the application, and wherein the program code to modify the configuration of the first agent comprises program code to modify the configuration to indicate the private network address of the application.

14. An apparatus comprising: a processor; and a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, based on identification of an application running on a cloud cluster that is externally exposed, modify a first configuration of the application to redirect network traffic destined for the application to one or more agen
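As an added worked example (not code from the patent, its assignee, or any product), the following Python models the two paths the abstract and claims 1 to 13 describe: the control path (copy the external configuration with a private address, point the external configuration at the agents' label and per-application port, then add or remove the application label on agent containers when a collected metric crosses a maximum or minimum threshold) and the data path (external request to one labelled agent, WAF decision, forward to the private address). Everything not stated in the claims is an assumption made for illustration: the dictionary shapes (loosely modelled on Kubernetes Service and Pod objects), the label key `waf-for`, the port range starting at 30000, the "least-loaded idle agent" placement policy, the use of the mean of the serving agents' metric as the scaling signal, and the toy WAF signature list.

```python
# Added example, not code from the patent: a small model of the control path
# (config duplication, per-app port allocation, label-driven agent scaling)
# and data path (agent -> WAF -> private address) that the abstract and
# claims describe. Object shapes, the label key "waf-for", the port range,
# the placement policy and the WAF rules are all assumptions for illustration.
from __future__ import annotations

import copy
import zlib
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Agent:
    """One agent per node; the labels live on the agent's container (claims 1, 11)."""
    node: str
    labels: set = field(default_factory=set)
    metrics: dict = field(default_factory=dict)  # assumed keys, e.g. "cpu", "traffic"


@dataclass
class Cluster:
    agents: list
    next_port: int = 30000  # assumed start of the port range reserved for agents
    port_by_app: dict = field(default_factory=dict)

    def allocate_port(self, app: str) -> int:
        """One port per application, so a single agent can front several apps (claim 9)."""
        if app not in self.port_by_app:
            self.port_by_app[app] = self.next_port
            self.next_port += 1
        return self.port_by_app[app]


def internal_config(external_cfg: dict, private_ip: str) -> dict:
    """Claim 5: copy the external configuration and swap the public address for a private one."""
    cfg = copy.deepcopy(external_cfg)
    cfg["name"] = external_cfg["name"] + "-internal"
    cfg["address"] = private_ip
    return cfg


def redirect_to_agents(external_cfg: dict, cluster: Cluster) -> dict:
    """Claim 12: make the agents' label and per-app port the destination for external traffic."""
    app = external_cfg["name"]
    cfg = copy.deepcopy(external_cfg)
    cfg["backend"] = {"selector": {"waf-for": app}, "port": cluster.allocate_port(app)}
    return cfg


def rescale(cluster: Cluster, app: str, metric: str, high: float, low: float) -> str:
    """Claims 1-3: compare one agent-collected metric with a max/min threshold and
    add or remove the application label on exactly one agent container."""
    serving = [a for a in cluster.agents if app in a.labels]
    idle = [a for a in cluster.agents if app not in a.labels]
    # assumed scaling signal: mean of the metric over the agents already serving the app
    value = mean(a.metrics.get(metric, 0.0) for a in serving) if serving else float("inf")
    if value > high and idle:
        # assumed placement policy: the least-loaded idle agent gets the label
        target = min(idle, key=lambda a: a.metrics.get(metric, 0.0))
        target.labels.add(app)
        return f"scaled up: {target.node}"
    if value < low and len(serving) > 1:  # never remove the last WAF for the app
        target = min(serving, key=lambda a: a.metrics.get(metric, 0.0))
        target.labels.discard(app)
        return f"scaled down: {target.node}"
    return "unchanged"


# Toy signature list, constructed for the example; a real WAF carries a full rule set.
BLOCK_MARKERS = ("<script", "' or ", "../", "union select")


def waf_allows(request_path: str) -> bool:
    path = request_path.lower()
    return not any(marker in path for marker in BLOCK_MARKERS)


def handle(cluster: Cluster, app: str, internal_cfg: dict, request_path: str, client_ip: str) -> str:
    """Data path: external request -> one labelled agent -> WAF -> private address of the app (claim 6)."""
    serving = sorted((a for a in cluster.agents if app in a.labels), key=lambda a: a.node)
    if not serving:
        return "dropped: no agent labelled for " + app
    # deterministic spread of clients across the agents that carry the label
    agent = serving[zlib.crc32(client_ip.encode()) % len(serving)]
    agent.metrics["traffic"] = agent.metrics.get("traffic", 0.0) + 1
    if not waf_allows(request_path):
        return f"{agent.node}: blocked {request_path}"
    return f"{agent.node}: forwarded {request_path} to {internal_cfg['address']}:{internal_cfg['port']}"


if __name__ == "__main__":
    # constructed sample cluster and application, not taken from the patent
    cluster = Cluster(agents=[
        Agent("node-a", {"shop"}, {"traffic": 900.0}),
        Agent("node-b", set(), {"traffic": 10.0}),
        Agent("node-c", set(), {"traffic": 50.0}),
    ])
    external = {"name": "shop", "address": "203.0.113.10", "port": 443}
    internal = internal_config(external, "10.0.0.12")
    print(redirect_to_agents(external, cluster)["backend"])
    print(rescale(cluster, "shop", "traffic", high=500.0, low=50.0))
    print(handle(cluster, "shop", internal, "/items?id=1", "198.51.100.7"))
    print(handle(cluster, "shop", internal, "/search?q=<script>alert(1)", "198.51.100.7"))
```

Two points worth noticing when reading it against the claims. First, the external configuration is never pointed at the application's private address; only the agents know that address, so a request that bypasses the WAF has no route to the workload, which is what makes the redirection a control rather than a convenience. Second, the scale-down branch refuses to remove the last labelled agent; the claims only say the label is removed from "one of" the containers, and an implementation that can drop the count to zero would silently leave the application unreachable (or, worse, unprotected if a fallback route exists).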
CPC classification titles:
- by horizontal or vertical scaling of resources, or by migrating entities, e.g. virtual resources or entities
- related to network traffic
- Distributed architectures, e.g. distributed firewalls
- by checking functioning
- for local use, e.g. in LAN or USB networks, or in a controller area network [CAN]